URL: https://github.com/freeipa/freeipa/pull/1024
Author: stlaz
Title: #1024: py3: turn all shebangs to python3
Action: opened
PR body:
"""
This patchset turns all shebangs in IPA scripts to Python 3. Note that this may seem like going against what we agreed on some two months ago but the outcome to turn everything to `/usr/bin/python` to use default python version would be a setback in the Fedora planning: https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 and there is no reason not to use the up-till-now long running Python 3 effort.
This also required regenerating the `API.txt` file so that our checks don't fail to validate for python2/3 type discrepancies.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1024/head:pr1024
git checkout pr1024

URL: https://github.com/freeipa/freeipa/pull/837
Author: frasertweedale
Title: #837: ca-add: fix permission issue
Action: opened
PR body:
"""
The ca-add command pre_callback uses ldap.can_add() to check whether
the user has permission to add CAs. Alas, the GetEffectiveRights
control used by ldap.can_add() doesn't correctly interpret ACIs with
'targetfilter' constraints, and returns a false-negative for
non-admin users, even when they have the 'System: Add CA'
permission.
To work around this, add the CA object to FreeIPA before attempting
to create the CA in Dogtag. If the CA creation in Dogtag succeeds,
the user then updates the FreeIPA object with the Authority ID and
other authoritative data returned by Dogtag. If the CA creation in
Dogtag fails, the user cleans up by deleting the newly-created CA
object from FreeIPA.
This modified procedure ensures that the user certainly has the
'System: Add CA' permission before the CA creation in Dogtag is
attempted. But it also means that the user must have 'write' and
'delete' permission on 'ipaca' objects in FreeIPA, so that it can
complete the object after CA creation in Dogtag, or clean up if that
step fails. Therefore, update the 'System: Add CA' permission to
confer 'write' and 'delete' access on 'ipaca' objects, as well as
'add' access.
Fixes: https://pagure.io/freeipa/issue/6609
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/837/head:pr837
git checkout pr837
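
The add-first ordering described in PR #837, sketched as an added example (not code from the PR or from FreeIPA). `ToyDirectory`, `ToyDogtag`, `ca_add`, the `authority_id` key and the ACL layout are hypothetical stand-ins; the point is that the add itself acts as the permission check, and that the completion and clean-up paths need 'write' and 'delete'.

```python
class PermissionDenied(Exception):
    pass

class DogtagError(Exception):
    pass

class ToyDirectory:
    """Hypothetical in-memory stand-in for the FreeIPA store of 'ipaca' objects."""
    def __init__(self, acl):
        self.acl = acl          # constructed ACL: user -> set of rights
        self.entries = {}

    def _require(self, user, right):
        if right not in self.acl.get(user, set()):
            raise PermissionDenied(f"{user} lacks '{right}' on ipaca objects")

    def add(self, user, name):
        self._require(user, "add")
        self.entries[name] = {"cn": name}

    def update(self, user, name, attrs):
        self._require(user, "write")
        self.entries[name].update(attrs)

    def delete(self, user, name):
        self._require(user, "delete")
        del self.entries[name]

class ToyDogtag:
    """Hypothetical stand-in for the CA backend; 'fail' simulates a failed creation."""
    def __init__(self, fail=False):
        self.fail, self.created = fail, []

    def create_ca(self, name):
        if self.fail:
            raise DogtagError("CA creation failed")
        self.created.append(name)
        return {"authority_id": "constructed-id-" + name}

def ca_add(directory, dogtag, user, name):
    # The add itself is the permission check: no effective-rights pre-check is consulted.
    directory.add(user, name)
    try:
        data = dogtag.create_ca(name)
    except DogtagError:
        directory.delete(user, name)    # clean-up path needs 'delete'
        raise
    directory.update(user, name, data)  # completion path needs 'write'
    return directory.entries[name]
```

With only 'add' granted, a failed backend creation leaves the placeholder entry behind because the clean-up delete is refused, which is the case the permission update in the PR addresses.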

URL: https://github.com/freeipa/freeipa/pull/1011
Author: tomaskrizek
Title: #1011: py3: dnssec
Action: opened
PR body:
"""
This PR is a partial fix that should allow DNSSEC installation for master. Keys will not be distributed to replicas. With my limited DNSSEC/IPA knowledge, I wasn't able to verify the data stored in LDAP are actually correct. In case they are not, this would prevent installation of DNSSEC replicas in the future.
Our DNSSEC tests are not passing, thus we can't use them to verify this PR. Given these circumstances, I propose to officially discourage DNSSEC installation in 4.6.0.
This PR supersedes #898. For review, it is highly recommended to rebase on #999.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1011/head:pr1011
git checkout pr1011